Fed agency issues security alert on Siemens imaging systems
The Department of Homeland Security and Siemens Healthineers have issued advisories detailing security vulnerabilities of four of the company’s diagnostic imaging systems.
Even an attacker with a low skill level would be able to exploit the vulnerabilities, Siemens warns. The vulnerable systems are the Windows 7-based versions of the following products:
• Siemens PET/CT Systems
• Siemens SPECT/CT Systems
• Siemens SPECT Systems
• Siemens SPECT Workplaces/Symbia.net
“Successful exploitation of these vulnerabilities may allow the attacker to remotely execute arbitrary code,” according to Siemens’ advisory. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”
NCCIC is the National Cybersecurity and Communications Integration Center within Homeland Security. ICS-CERT is the Industrial Control Systems Cyber Emergency Response Team within Homeland Security.
Siemens’ advisory lists four specific attacks that can take advantage of the security vulnerabilities, all of which can be exploited remotely.
Siemens is working on remediating the security flaws. For now, the company recommends running the devices in a dedicated network segment and a protected IT environment. If this is not possible, and patient safety and treatment are not at risk, the company recommends disconnecting the products from the network and using them in standalone mode. In those instances, the product should be reconnected to the network only after a patch or other remediation is installed.
Siemens also advises that affected organizations have appropriate backups and system restoration procedures.
ICS-CERT recommends minimizing network exposure for all of the vendor’s medical devices and making sure they are not accessible from the Internet. It also recommends locating all medical devices and remote devices behind firewalls and isolating them from business networks.